“When the facts change, I change my mind,” the economist John Maynard Keynes reportedly said. The same is true of governance: when rules change, the processes for following them need to evolve. A webinar from BH Consulting and Certification Europe this month will explore cyber governance in depth.
The two-hour webinar will take place at 2pm on Wednesday 21 October and is free of charge to attend. The context for this event is the emergence of international regulations that organisations need to comply with. The EU General Data Protection Regulation [GDPR] and the upcoming ePrivacy Regulations are driving big changes in the way organisations process and protect data.
Added to that is the continued uncertainty around Brexit and what implications that could have for information security and privacy. At the same time, organisations face an ever-changing array of cyber threats, so they need a way to respond.
Speaking from experience: introducing the webinar presenters
Three presenters are scheduled for the event: Brian Honan, CEO of BH Consulting; Valerie Lyons, the company’s chief operations officer; and Luke Feeney, ISO 27001 lead auditor and trainer with Certification Europe. All are experts in cybersecurity, data protection, standards and certifications. Together, they will cover the following topics:
- How ISO 27001 can help in managing compliance risk post-Brexit
- Implications of the EU Cybersecurity Act and ePrivacy Regulations for governance and rules, and how ISO 27001 can help
- Using ISO 27001 and the ISO 27701 extension to manage privacy programmes
- Business implications of GDPR and how ISO 27001 can help address them.
The webinar will also look at how to manage the changing governance landscape with an information security management system [ISMS]. An ISMS is the cornerstone of the ISO 27001 Information Security Standard, helping an organisation to secure its data and demonstrate compliance.
Identifying data privacy risk – and doing something about it
Reaching the standard starts with identifying where an organisation holds its key information – whether that’s in digital or physical format. Then, it needs to assess the risk to that information, and establish policies around it.
As we blogged before, a no-deal Brexit scenario could have a big impact on Irish companies’ data protection obligations. It potentially affects companies that outsource key functions such as HR, IT, payroll, or marketing to providers in the UK. UK-based companies dealing with European companies and data subjects may also have to review their work practices.
Even if the UK Government incorporates GDPR principles into its own data protection law, that could change over time. So Irish-based organisations communicating with UK data subjects will probably need to watch for any future changes to UK data protection regulations.
Where ISO 27001 helps in managing compliance risk is that it’s an internationally agreed and globally recognised standard. This means it applies regardless of any geopolitical changes – whatever the outcome of Brexit. In effect, the standard sets out the requirements for an ISMS, which is a systematic approach to protecting confidential company information. It enables organisations to manage their information security risks using a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving an ISMS.
Business implications of GDPR
Even now, two years on from GDPR, we haven’t yet reached the stage of cultural change. This is the tipping point where organisations adopt privacy programmes because it’s right, not just because regulations say they must. Thinking about the regulation in those terms shows the extent to which it affects business practice, processes and culture. Following the spirit, not just the letter, of the law is much more than a tick-the-box compliance exercise.
In many ways, the growing focus on governance is a natural evolution of security practice. Governance frameworks, helped by security assessments and certifications, provide a consistent model of good practice for organisations. They help to manage security more effectively, and they could increase public trust in the organisations that use them.